Saturday, February 03, 2007

More on the Apple wifi blunder OR i am no longer gagged

In response to a question on the SecurityFocus Apple list I decided to reply. Gotta love the lack of gag.

I wrote this (with some edits):

Jon and I didn't discover a serious general 802.11 flaw; that is where a lot of confusion around this issue comes from. We discovered that in general 802.11 drivers didn't handle malformed frames very well. The flaws that were discovered (there were far more than one) were specific to certain types of chipsets (Atheros, Broadcom, etc.). As far as the articles go, I didn't write them. If you look at Jon's and my quotes in each article you will see something along the lines of "this is a systemic problem that affects the entire industry". I am also amused by the fact that I wrote about how to find these vulns in a SecurityFocus article and nobody but HD Moore seemed to care. He added the ability to audit wireless drivers to Metasploit, which is really cool.

As far as when we used a third party card for the video demo: a lot of Mac fans were very upset and felt that it wasn't fair because nobody uses a third party card. That was the entire point of the demo. If we had to do it live and someone got a copy of the working exploit, we didn't want it to be in something that actually affected anyone. As far as confirmation goes, you will see we never confirmed publicly which vendors were affected. And once again, I never said I wanted to stab the Mac community in the eye; I said that about the actors in a commercial.

As a side note I have to mention the statement that Secureworks issued clarifying the video. She (being Lynn Fox) forgot to mention to reporters that the statement was created in cooperation between Apple PR and Secureworks PR. Although Apple PR really wanted the statement to be extended to cover any demos given in person (Krebs, anonymous Blackhat employee), Secureworks couldn't do that. Minutes after this was posted, Lynn Fox started pitching reporters a story that Secureworks had changed its tune based on the update. If you actually read the Secureworks statement, it just covers the video and says nothing I didn't say in the video twice. I suppose her omission of this information was designed to make it appear Jon and I were frauds and thus make a big story. I suppose the headline "Apple asked Secureworks to clarify their video, Secureworks obliges" would not have been as sensational or given the Mac zealots ammunition to drag Jon and me through the mud for months. She then called my boss at Secureworks at the time and told him she was very sorry the Mac community was taking what she said out of context, and she never intended that to happen. I also find it funny that the only real news outlet that ran the "Secureworks changes position" story was Macworld. Here is a funny note: the guy who wrote the story, Jim Dalrymple, never contacted Jon, me, or Secureworks for any reason during the entire fiasco.

It doesn't matter much to me anymore, as I have yet to meet a client of Errata Security (the company I formed after leaving Secureworks) that thinks I faked it all; in fact pretty much everyone I meet thinks Apple tried a cover up that blew up into a long drawn out affair. Also, most Enterprise customers don't care about Apple. Also, I am in the process of writing a book about horror stories of when responsible disclosure goes wrong, with Apple being the flagship issue. Everything that happened will be detailed. As far as security research into Apple goes, I haven't done much else in the last few months, and I flat out refuse to report any issues to Apple security anymore because of two things. One is that I don't trust their PR department not to try and smear me again; I feel that their handling of the Secureworks statement (which again was done at their request) pretty much proved this. The second reason is simple: Apple apparently has more leaks than a sinking ship. How do I know this? Several of the bloggers who were calling for my head on a platter had information I had given to just one person at Apple and that no-one else knew, not even Jon. It's almost like pro-Mac bloggers have a hotline to the 2- or 4-person security group at Apple. If a company wants me to keep details of a vulnerability private, they can at least do the same.

So what is the takeaway from this? It was a very poorly handled situation by everyone involved, except Jon. Jon had no real control of any of this, and in the end I realized I didn't either. I lost all control when I allowed marketing people to make decisions about vulnerability disclosure. However, I did make some mistakes. I should have never talked to a reporter about something we were not ready to make public. I should have realized Apple would have responded the way they did and just dropped full details of the exploit or not said anything at all. The PR war Lynn Fox waged against me was only possible because she knew I was forbidden from defending myself. With that being said, I have never been a fan of full disclosure, and I am still not, unless it's a vendor that has acted in bad faith. How could it have been handled differently by Apple? I have reported a lot of vulnerabilities to a lot of vendors and never once have I had the PR department respond to something. Take the Dell and Toshiba Bluetooth stack issues. We reported it to security, we worked with the engineers to fix it (and strangely, information we gave to the engineers didn't end up on blogs), and only after everything was fixed (the process took about a month and a half) did we talk to their PR group to coordinate a joint release.

With all this being said, I am shopping for a new TV to make best use of my new Apple TV when it arrives. I write this on a new MacBook Core Duo 2 while listening to my iPod play an audiobook (World War Z) that I bought from iTunes. If you didn't know better, you could also say I am a walking commercial for Apple.

My question is, if the problems that you discovered were platform agnostic, and could be executed on any machine running certain wireless chipsets, then why all of the focus on and venom spewed toward Apple? Why even use an Apple in your demo in the first place? If the exploit could have been executed on a Dell, Lenovo, or Sony machine (sorry, I don't know if any or all of those have the wireless chipsets that contain the exploit you found), why not run the exploit on one of those Windows-based machines, and be done with it? Why go to 2 different security conferences with a MacBook in hand, and then let your words get twisted (giving you the benefit of the doubt over someone like Krebs) into a sensationalist headline of "MacBook hacked wirelessly in 60 seconds"? It comes off as a calculated PR stunt to gain yourself more attention, and that notion only seems more likely when you make the anti-Mac remarks (I feel you should have known those remarks would have been blown out of proportion and come back to haunt you).

Let's be honest, if you had done this all on Dell/Lenovo/Sony hardware, for the most part your findings would have drawn a collective yawn from everyone, and the issue would be a molehill compared to the mountain that you helped create. Even if you had added at the end, "we can even replicate this issue on some Mac hardware", it would have gotten people's attention a bit more than if it was isolated to the Windows platform, but still not the all out war of words that Krebs's article triggered.

My advice to you is to own the comments that you made, and realize that there were much better, and less dramatic ways to present your findings. Hopefully you have learned from this. Of course, the cynic in me would have to say that had your presentations not been reported in such a way that it seemed like you were out to target Apple and their so called "smugness", I really doubt you would have much content to then write a book about the experience.

Lastly, on a somewhat unrelated topic, regarding Vista security, I have a differing opinion when it comes to what Vista is offering to Windows users now in terms of security. The first point being that you probably will not see widespread adoption of Vista for a good 12-18 months, and even then I would be surprised if more than half the user base has transitioned. So while it might be more secure, that still isn't going to mean squat to the millions of PCs that are out there running XP or some older Windows OS. Secondly, Microsoft has to simplify the warning process so that it does not become such a nuisance that users just start hitting "Allow" every time the alert window pops up. I am not sure what, if any, experience you have with dealing with end users, but they tend not to be too worried about dialog boxes that pop up too often, other than to beg that they go away. Since company policy should be that the security features are always enabled, you will start to find exploits/malware that is being "approved" by the user, because they see the "Allow/Deny" window so often, and have so little understanding of what each warning might mean, that they will start to actually allow viruses and malware to be installed on their machines, since it will have become a natural reflex to click "Allow" every time the warnings start popping up.

No system is 100% secure... I remember that from a 1980s movie... WarGames maybe?